SD-WAN -- Management VPN 512 / Config Backups

Level 4

Got a two-part question today...


1. I have seen lots of mention of VPN512 (management VPN) in documentation and presentations, but I have yet to see a practical use demonstrated. Does anyone have thoughts on best practice to use this / are people actually using it?

*I have taken notice that the vManage and vSmart controllers have the ability to have an interface configured for this VPN. Is this the only way to get direct management access to them via the overlay network? (I'm using the hosted solution, so I'm currently only able to get to them through the vManage SSH console right now.)


2. Is anyone doing configuration backups? I am used to using something like Kiwi CatTools to SSH to devices and grab "show run", back that up, and let me know about changes in the environment on a regular schedule (more people than just myself making changes on my team). I am using the hosted solution, so I am trusting that Cisco is covering the smoking-hole scenario for the controllers, and the edge configurations live there in the templates... I'm more worried about human-error scenarios where I accidentally delete a policy and don't remember what was in it to recreate it, or the ability to look back at how something was configured when we knew it was in a working state and now it's not (perhaps after an upgrade). Also just to be aware of what changes are happening, and yes, I am aware of the audit log, but that's just telling me a change happened to some parent object, not the details of what the actual changes were.
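The change-tracking part of question 2 (snapshot each device's running config on a schedule, then report exactly which lines changed rather than just that "something" changed) is what CatTools-style tooling does under the hood. The script below is an added example and is not code from this thread, from Cisco or from any vManage API; it works on already-retrieved config text, so how you fetch "show run" (SSH, or an export from vManage) is left to the reader. The device name, directory layout and the two sample configs are constructed for illustration; the sample simulates a policy list being deleted by accident alongside a harmless description edit.

```python
"""Config drift detection over saved "show run" snapshots.

Added example (not from the thread or from Cisco). Snapshot names, the
store layout and the sample configs are constructed for illustration.
"""
import difflib
import hashlib
from pathlib import Path

# Constructed sample: a device config before and after an operator deleted a
# policy prefix-list and edited the VPN 512 interface description.
CONFIG_BEFORE = """\
system
 host-name branch-edge-01
 system-ip 10.255.0.11
 site-id 110
!
vpn 512
 interface eth0
  description OOB-mgmt
  ip address 192.168.100.11/24
  no shutdown
!
policy
 lists
  prefix-list CORP-SUMMARY
   ip-prefix 10.10.0.0/16
  !
 !
!
"""

CONFIG_AFTER = """\
system
 host-name branch-edge-01
 system-ip 10.255.0.11
 site-id 110
!
vpn 512
 interface eth0
  description OOB-mgmt-temp
  ip address 192.168.100.11/24
  no shutdown
!
"""


def normalize(config_text):
    """Drop trailing whitespace and blank lines so cosmetic differences do not alert."""
    return [line.rstrip() for line in config_text.splitlines() if line.strip()]


def fingerprint(config_text):
    """SHA-256 over the normalized config; equal digests mean no effective change."""
    joined = "\n".join(normalize(config_text)).encode("utf-8")
    return hashlib.sha256(joined).hexdigest()


def compare(previous, current, name):
    """Build a change report for one device.

    previous is None on the first run. The report carries a changed flag,
    added/removed line counts and a unified diff with one line of context,
    which is the detail an audit log entry on a parent object does not give.
    """
    report = {"device": name, "changed": False, "first_seen": previous is None,
              "added": 0, "removed": 0, "diff": ""}
    if previous is None:
        report["changed"] = True
        return report
    if fingerprint(previous) == fingerprint(current):
        return report
    diff_lines = list(difflib.unified_diff(
        normalize(previous), normalize(current),
        fromfile=f"{name} (previous)", tofile=f"{name} (current)",
        lineterm="", n=1))
    report["changed"] = True
    report["added"] = sum(1 for l in diff_lines
                          if l.startswith("+") and not l.startswith("+++"))
    report["removed"] = sum(1 for l in diff_lines
                            if l.startswith("-") and not l.startswith("---"))
    report["diff"] = "\n".join(diff_lines)
    return report


class SnapshotStore:
    """One file per device under a root directory; record() diffs against the last copy."""

    def __init__(self, root):
        self.root = Path(root)
        self.root.mkdir(parents=True, exist_ok=True)

    def record(self, name, config_text):
        path = self.root / f"{name}.cfg"
        previous = path.read_text(encoding="utf-8") if path.exists() else None
        report = compare(previous, config_text, name)
        if report["changed"]:
            path.write_text(config_text, encoding="utf-8")  # keep the newest copy
        return report


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        store = SnapshotStore(tmp)
        store.record("branch-edge-01", CONFIG_BEFORE)          # first run: baseline
        result = store.record("branch-edge-01", CONFIG_AFTER)  # scheduled run: drift
        print(f"{result['device']}: +{result['added']} -{result['removed']}")
        print(result["diff"])
```

Run it on a schedule against the fetched configs and alert whenever `changed` is true; the `diff` field is what lets you rebuild a deleted policy from the previous snapshot. Keeping only the newest file per device is a simplification; a practitioner would commit each snapshot to a git repository so the whole history, not just the last change, stays available for the "it worked before the upgrade" comparison.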

Cisco Employee
1. From the documentation: "VPN 512 must be present on all Viptela devices so that they are always reachable on the network."
In general, it's quite a common approach to use a dedicated VRF/VPN for secure management purposes.
2. You can back up the configuration database with "request nms configuration-db backup path /home/admin/backup_path" on a regular basis.

Regarding VPN 512, it only has meaning if the devices are on-prem and can be connected (via their VPN 512 interface) to some out-of-band management network.


For remote devices (remote from your management infrastructure), VPN 512 is a bit useless, and you have to use a management loopback or some such in a service VPN. Or you don't use that, and your only option is to connect via the system IP from vManage.